toxiceye | 1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68

General

Target

1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe
Size

111KB
MD5

3cdefec5518d17dd30d6ae5d2b10a7aa
SHA1

d930c4be3e11056a01d88fc204ede07292b70a38
SHA256

1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68
SHA512

1f12b82dba779a72be66d513ce72518f79bc97282211685bc9b42f0f1a8c2dd756cb372c44c917b11afcc6a71d581a6747f3acd5d6b54743f6b7b689a8c32f69
SSDEEP

1536:y+bAQAsnqLoM91qQIwxHxZxdyyKDWfCbhDqI64QWEzCrAZuhN7Dg:VbKsnwo0RZxjQbxqH4QWEzCrAZuhZg

Score

10^/10

toxiceye discovery rat trojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot7302074945:AAGKx5TnjPyRM_fqN4XQLd4uz-PUp4nl8w4/sendMessage?chat_id=6414125020

Signatures

ToxicEye
ToxicEye is a trojan written in C#.
rat trojan toxiceye

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exerat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

Processes:

rat.exe

pid process

2952 rat.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2840 tasklist.exe
3288 tasklist.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4504 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2180 schtasks.exe
2140 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rat.exe

pid process

2952 rat.exe

pid	process
2840	tasklist.exe
3288	tasklist.exe

pid	process
4504	timeout.exe

pid	process
2180	schtasks.exe
2140	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

rat.exe

pid	process
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe
2952	rat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exetasklist.exerat.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	3248	1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeDebugPrivilege	2952	rat.exe
Token: SeDebugPrivilege	2952	rat.exe
Token: SeDebugPrivilege	3288	tasklist.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rat.exe

pid process

2952 rat.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.execmd.exerat.execmd.exe

description	pid	process	target process
PID 3248 wrote to memory of 2140	3248	1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe	schtasks.exe
PID 3248 wrote to memory of 2140	3248	1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe	schtasks.exe
PID 3248 wrote to memory of 3972	3248	1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe	cmd.exe
PID 3248 wrote to memory of 3972	3248	1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe	cmd.exe
PID 3972 wrote to memory of 2840	3972	cmd.exe	tasklist.exe
PID 3972 wrote to memory of 2840	3972	cmd.exe	tasklist.exe
PID 3972 wrote to memory of 4696	3972	cmd.exe	find.exe
PID 3972 wrote to memory of 4696	3972	cmd.exe	find.exe
PID 3972 wrote to memory of 4504	3972	cmd.exe	timeout.exe
PID 3972 wrote to memory of 4504	3972	cmd.exe	timeout.exe
PID 3972 wrote to memory of 2952	3972	cmd.exe	rat.exe
PID 3972 wrote to memory of 2952	3972	cmd.exe	rat.exe
PID 2952 wrote to memory of 2180	2952	rat.exe	schtasks.exe
PID 2952 wrote to memory of 2180	2952	rat.exe	schtasks.exe
PID 2952 wrote to memory of 2896	2952	rat.exe	schtasks.exe
PID 2952 wrote to memory of 2896	2952	rat.exe	schtasks.exe
PID 2952 wrote to memory of 1784	2952	rat.exe	cmd.exe
PID 2952 wrote to memory of 1784	2952	rat.exe	cmd.exe
PID 1784 wrote to memory of 3288	1784	cmd.exe	tasklist.exe
PID 1784 wrote to memory of 3288	1784	cmd.exe	tasklist.exe
PID 1784 wrote to memory of 4544	1784	cmd.exe	find.exe
PID 1784 wrote to memory of 4544	1784	cmd.exe	find.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe
"C:\Users\Admin\AppData\Local\Temp\1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCBAC.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpCBAC.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\system32\tasklist.exe
    Tasklist /fi "PID eq 3248"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\system32\find.exe
    find ":"
    3⤵
    PID:4696
- - C:\Windows\system32\timeout.exe
    Timeout /T 1 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4504
- - C:\Users\ToxicEye\rat.exe
    "rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\ToxicEye\rat.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2180
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "Chrome Update"
      4⤵
      PID:2896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpAE5C.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpAE5C.tmp.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 2952"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
    - - C:\Windows\system32\find.exe
        
        find ":"
        5⤵
        
        PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE5C.tmp.bat

Filesize
131B

MD5
1451a531c0561a6dc71dd865af1b9e4b

SHA1
33efdbfb9b7ba929e8843795d32ee93d67d0693c

SHA256
80f4a2ce09e2b57f83edfc778928876aadf1b63720da55a0a32841438f9022d7

SHA512
9627ea87d9e9a54c90dce97d5c7637b2af728028c06293e1226baeef634f41698bb223ca28c5b874080d8e5180230a24315a0ebebb68f108c2170fc17cc83df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCBAC.tmp.bat

Filesize
241B

MD5
f4579e1633b83f0562b113b6175753dd

SHA1
16017d7ef700805abc721b6af596b12a5fac57f2

SHA256
41d6d19997cc69eecd135a3e6cfb4442148619f12c390a74df965e2e61484278

SHA512
9b1ae7ea19882812f393f8e7717deda5bd92a8c87101032be9cde17a17edf1a00eed266ca8ca1641787283dccd2f68030b723072d8927bb873f0017ba2e48d2b

Download Submit
C:\Users\ToxicEye\rat.exe

Filesize
111KB

MD5
3cdefec5518d17dd30d6ae5d2b10a7aa

SHA1
d930c4be3e11056a01d88fc204ede07292b70a38

SHA256
1ee0f288b931c649d0442590346cb778a3706d74322c24e1714cf124e9f23b68

SHA512
1f12b82dba779a72be66d513ce72518f79bc97282211685bc9b42f0f1a8c2dd756cb372c44c917b11afcc6a71d581a6747f3acd5d6b54743f6b7b689a8c32f69

Download Submit
memory/2952-11-0x000002CBEC0F0000-0x000002CBEC19A000-memory.dmp

Filesize
680KB

Download
memory/2952-12-0x000002CBEC220000-0x000002CBEC296000-memory.dmp

Filesize
472KB

Download
memory/3248-0-0x00007FFF4AD73000-0x00007FFF4AD75000-memory.dmp

Filesize
8KB

Download
memory/3248-1-0x000002B82B730000-0x000002B82B752000-memory.dmp

Filesize
136KB

Download
memory/3248-2-0x00007FFF4AD70000-0x00007FFF4B831000-memory.dmp

Filesize
10.8MB

Download
memory/3248-6-0x00007FFF4AD70000-0x00007FFF4B831000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads